pkg:npm/next

47 total CVEs: CRITICAL 1, HIGH 16, MEDIUM 18, LOW 4

All known vulnerabilities

  • CRITICAL 9.1 CVE-2025-29927 Authorization Bypass in Next.js Middleware
    >= 13.0.0, < 13.5.9
  • HIGH 8.6 CVE-2026-44578 Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
    >= 13.4.13, < 15.5.16
  • HIGH 8.1 CVE-2026-44574 Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
    >= 15.4.0, < 15.5.16
  • HIGH 7.5 CVE-2026-45109 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
    >= 15.2.0, < 15.5.18
  • HIGH 7.5 CVE-2026-44579 Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
    >= 15.0.0, < 15.5.16
  • HIGH 7.5 CVE-2026-44575 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
    >= 15.2.0, < 15.5.16
  • HIGH 7.5 CVE-2026-44573 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
    >= 12.2.0, < 15.5.16
  • HIGH 7.5 CVE-2025-49826 Next.JS vulnerability can lead to DoS via cache poisoning
    >= 15.0.4-canary.51, < 15.1.8
  • HIGH 7.5 CVE-2024-51479 Next.js authorization bypass vulnerability
    >= 9.5.5, < 14.2.15
  • HIGH 7.5 CVE-2024-46982 Next.js Cache Poisoning
    >= 13.5.1, < 13.5.7
  • HIGH 7.5 CVE-2024-39693 Next.js Denial of Service (DoS) condition
    >= 13.3.1, < 13.5.0
  • HIGH 7.5 CVE-2024-34351 Next.js Server-Side Request Forgery in Server Actions
    >= 13.4.0, < 14.1.1
  • HIGH 7.5 CVE-2024-34350 Next.js Vulnerable to HTTP Request Smuggling
    >= 13.4.0, < 13.5.1
  • HIGH 7.5 CVE-2021-43803 Unexpected server crash in Next.js.
    >= 12.0.0, < 12.0.5
  • HIGH 7.5 CVE-2021-39178 XSS in Image Optimization API for Next.js
    >= 10.0.0, < 11.1.1
  • HIGH 7.5 CVE-2018-6184 Directory traversal vulnerability in Next.js
    >= 1.0.0, < 4.2.3
  • HIGH 7.5 CVE-2017-16877 Next.js Directory Traversal Vulnerability
    >= 1.0.0, < 2.4.1
  • MEDIUM 6.9 CVE-2021-37699 Open Redirect in Next.js
    >= 0.9.9, < 11.1.0
  • MEDIUM 6.5 CVE-2025-57822 Next.js Improper Middleware Redirect Handling Leads to SSRF
    >= 0.9.9, < 14.2.32
  • MEDIUM 6.2 CVE-2025-57752 Next.js Affected by Cache Key Confusion for Image Optimization API Routes
    >= 0.9.9, < 14.2.31
  • MEDIUM 6.1 CVE-2026-44580 Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
    >= 13.0.0, < 15.5.16
  • MEDIUM 6.1 CVE-2018-18282 Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
    >= 7.0.0, < 7.0.2
  • MEDIUM 5.9 CVE-2026-44577 Next.js has a Denial of Service in the Image Optimization API
    >= 10.0.0, < 15.5.16
  • MEDIUM 5.9 CVE-2025-59472 Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
    >= 16.0.0-beta.0, < 16.1.5
  • MEDIUM 5.9 CVE-2025-59471 Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
    >= 10.0.0, < 15.5.10
  • MEDIUM 5.9 CVE-2024-47831 Denial of Service condition in Next.js image optimization
    >= 10.0.0, < 14.2.7
  • MEDIUM 5.9 CVE-2022-23646 Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
    >= 10.0.0, < 12.1.0
  • MEDIUM 5.9 CVE-2022-21721 Denial of Service Vulnerability in next.js
    >= 12.0.0, < 12.0.9
  • MEDIUM 5.4 CVE-2026-44576 Next.js vulnerable to cache poisoning in React Server Component responses
    >= 14.2.0, < 15.5.16
  • MEDIUM 5.3 CVE-2024-56332 Next.js Allows a Denial of Service (DoS) with Server Actions
    >= 13.0.0, < 13.5.8
  • MEDIUM 5.3 CVE-2022-36046 Unexpected server crash in Next.js
    >= 12.2.3, < 12.2.4
  • MEDIUM 4.7 CVE-2026-44581 Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
    >= 13.4.0, < 15.5.16
  • MEDIUM 4.7 CVE-2020-15242 Open Redirect in Next.js versions
    >= 9.5.0, < 9.5.4
  • MEDIUM 4.4 CVE-2020-5284 Directory Traversal in Next.js
    >= 0.9.9, < 9.3.2
  • MEDIUM 4.3 CVE-2025-55173 Next.js Content Injection Vulnerability for Image Optimization
    >= 0.9.9, < 14.2.31
  • LOW 3.7 CVE-2026-44572 Next.js's Middleware / Proxy redirects can be cache-poisoned
    >= 12.2.0, < 15.5.16
  • LOW 3.7 CVE-2026-44582 Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
    >= 13.4.6, < 15.5.16
  • LOW 3.7 CVE-2025-49005 Next.js has a Cache poisoning vulnerability due to omission of the Vary header
    >= 15.3.0, < 15.3.3
  • LOW 3.7 CVE-2025-32421 Next.js Race Condition to Cache Poisoning
    >= 0.9.9, < 14.2.24
  • CVE-2026-29057 Next.js: HTTP request smuggling in rewrites
    >= 16.0.0-beta.0, < 16.1.7
  • CVE-2026-27980 Next.js: Unbounded next/image disk cache growth can exhaust storage
    >= 16.0.0-beta.0, < 16.1.7
  • CVE-2026-27979 Next.js: Unbounded postponed resume buffering can lead to DoS
    >= 16.0.1, < 16.1.7
  • CVE-2026-27978 Next.js: null origin can bypass Server Actions CSRF checks
    >= 16.0.1, < 16.1.7
  • CVE-2026-27977 Next.js: null origin can bypass dev HMR websocket CSRF checks
    >= 16.0.1, < 16.1.7
  • CVE-2025-48068 Information exposure in Next.js dev server due to lack of origin verification
    >= 15.0.0, < 15.2.2
  • CVE-2025-30218 Next.js may leak x-middleware-subrequest-id to external hosts
    >= 12.3.5, < 12.3.6
  • CVE-2023-46298 Next.js missing cache-control header may lead to CDN caching empty reply
    >= 0.9.9, < 13.4.20-canary.13